@dledda-r7 dledda-r7 commented Oct 8, 2025

Direct Syscall in Metsrv

This PR kickstarts the usage of the direct syscall implemented by @cdelafuente-r7 in the ReflectiveDllInjection repository. The scopes of this PR are:

Extending the WINAPI

With the initial winapi work we started defining wrappers for system calls for mainly two reasons:

  1. remove the system function from the function import
  2. be able to control the implementation and use direct syscall when possible

Easier direct-syscall loader

Creation of helpers to speed up the extension of direct syscall.
To add new syscalls we need to include the syscall name and the expected arguments to the NtDllFunction lpFunctionsTobeLoaded array and extend the enum NtDllSyscall with the new system call, then we can proceed with the creation of the wrappers and the optional export to the met_api interface.

This PR includes the wrappers for ~90% of the functions used within metsrv.
Not all of them have been used, and this is outside the scope of this PR. Smaller PRs will be done to cover smaller areas of the codebase to speed up the testing.

TODO:

  • Make standard wrappers for all the other meterpreter functions
  • Expose the Zw Functions on met_api
  • Add GetProcAddrH
  • Remove strings

Migration with Direct Syscall
DebugString: "[1384] [MIGRATE] Attempting to migrate. ProcessID=1708, Arch=x64"
DebugString: "[1384] [MIGRATE] Attempting to migrate. PayloadLength=291840 StubLength=317"
DebugString: "[1384] [INJECT][supports_poolparty_injection] RtlGetVersion: 00007FFF82EAE4E0"
DebugString: "[1384] [INJECT][supports_poolparty_injection] dwSourceArch: 2 dwDestinationArch: 2"
DebugString: "[1384] [INJECT][supports_poolparty_injection] os.dwMajorVersion: 10 os.dwMinorVersion: 0"
DebugString: "[1384] [MIGRATE] Got SeDebugPrivilege!"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpWinApiSyscalls = 00000000005ECC90"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005ECD00; dwCryptedHash = 00000000D33D4AED"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005EC960; dwCryptedHash = 00000000F0D09D60"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005EC9B0; dwCryptedHash = 00000000C5D0A4C2"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005ECA00; dwCryptedHash = 000000003DEFA5C2"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005ECA50; dwCryptedHash = 00000000BC3F4D89"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005ECAA0; dwCryptedHash = 000000004FD39C92"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000005ECAF0; dwCryptedHash = 00000000DE63B5C3"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 0 pStub: 00007FFF82F0D7E8, dwSyscallNr: 24"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 1 pStub: 00007FFF82F0D9A8, dwSyscallNr: 38"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 2 pStub: 00007FFF82F0DC28, dwSyscallNr: 58"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 3 pStub: 00007FFF82F0DCC8, dwSyscallNr: 63"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 4 pStub: 00007FFF82F0DEE8, dwSyscallNr: 80"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 5 pStub: 00007FFF82F0D948, dwSyscallNr: 35"
DebugString: "[1384] [WINAPI][GetOrInitWinApiSyscalls] Index: 6 pStub: 00007FFF82F0D8A8, dwSyscallNr: 30"
DebugString: "[1384] [WINAPI][winapi_kernel32_OpenProcess] Syscall ZwOpenProcess returned: 0"
DebugString: "[1384] [MIGRATE] creating the configuration block"
DebugString: "[1384] [CONFIG] preparing the configuration"
DebugString: "[1384] [CONFIG] Allocating 1036 bytes for transport, total of 1604 bytes"
DebugString: "[1384] [CONFIG] Comms handle set to 00000000000001A4"
DebugString: "[1384] [CONFIG] Total of 1614 bytes located at 0x00000000005D9800"
DebugString: "[1384] [MIGRATE] Config of 1614 bytes stashed at 0x00000000005D9800"
DebugString: "[1384] [MIGRATE] Duplicated Event Handle: 0x3d4"
DebugString: "[1384] [WINAPI][winapi_kernel32_VirtualAllocEx] Syscall ZwAllocateVirtualMemory returned: 0"
DebugString: "[1384] [MIGRATE] Migrate stub: 0x000002C991350000 -> 317 bytes"
DebugString: "[1384] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0"
DebugString: "[1384] [MIGRATE] Migrate context: 0x000002C99135013D -> 388 bytes"
DebugString: "[1384] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0"
DebugString: "[1384] [MIGRATE] Migrate payload: 0x000002C9913502C1 -> 291840 bytes"
DebugString: "[1384] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0"
DebugString: "[1384] [MIGRATE] Configuration: 0x000002C9913976C1 -> 1614 bytes"
DebugString: "[1384] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0"
DebugString: "[1384] [INJECT][supports_poolparty_injection] RtlGetVersion: 00007FFF82EAE4E0"
DebugString: "[1384] [INJECT][supports_poolparty_injection] dwSourceArch: 2 dwDestinationArch: 2"
DebugString: "[1384] [INJECT][supports_poolparty_injection] os.dwMajorVersion: 10 os.dwMinorVersion: 0"
DebugString: "[1384] [INJECT][inject_via_poolparty][ntdll_init] NtQueryInformationProcess: 00007FFF82F0D800 NtQueryObject: 00007FFF82F0D6E0"
DebugString: "[1384] [INJECT][inject_via_poolparty][ntdll_init] ZwSetIoCompletion: 00007FFF82F10930"
DebugString: "[1384] [INJECT][inject_via_poolparty] using: poolparty_stub_x64"
DebugString: "[1384] [WINAPI][winapi_kernel32_VirtualAllocEx] Syscall ZwAllocateVirtualMemory returned: 0"
DebugString: "[1384] [INJECT][inject_via_poolparty] ctx [000002C9913A0112] lpStartAddress: 000002C991350000 lpParameter 000002C99135013D hTriggerEvent 00000000000003E0"
DebugString: "[1384] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0"
DebugString: "[1384] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0"
DebugString: "[1384] [INJECT][inject_via_poolparty] Attempting injection with variant POOLPARTY_TECHNIQUE_TP_DIRECT_INSERTION"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] lpProcessInfo: 00000000025FA3A0"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] NtQueryInformationProcess() : 00000000C0000004"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] HeapReAlloc lpProcessInfo: 00000000025FA3A0"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] NtQueryInformationProcess() : 0000000000000000"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] lpProcessInfo: 00000000025FA3A0 dwInformationSizeIn: 9936"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] lpObjectInfo: 00000000025FCAA0"
DebugString: "[1384] [INJECT][inject_via_poolparty][get_remote_handle] hHijackHandle: 00000000000003AC"
DebugString: "[1384] [WINAPI][winapi_kernel32_VirtualAllocEx] Syscall ZwAllocateVirtualMemory returned: 0"
DebugString: "[1384] [INJECT][inject_via_poolparty][remote_tp_wait_insertion] ZwSetIoCompletion: 0"
DebugString: "[1384] [INJECT] inject_via_poolparty: injected!"
DebugString: "[1384] [INJECT] inject_via_poolparty: Sending a migrate response..."
DebugString: "[1384] [TRANSMIT] Sending packet to the server"

@dledda-r7 dledda-r7 marked this pull request as ready for review October 16, 2025 15:11
@dledda-r7 dledda-r7 changed the title WIP: Direct Syscall in Windows Meterpreter Direct Syscall in Windows Meterpreter Oct 16, 2025
@msutovsky-r7 msutovsky-r7 self-assigned this Oct 17, 2025
@cdelafuente-r7 cdelafuente-r7 left a comment

Thank you @dledda-r7 ! I'm happy to see metsrv will benefit from Direct Syscalls now. Great job!

I left a few minor comments for you to review when you get a chance.

@dledda-r7 dledda-r7 force-pushed the feat/metsrv-direct-syscall branch from f50ddbc to 8cf5e33 Compare October 27, 2025 14:16
@msutovsky-r7

Win 11 x64

[08d0] [MIGRATE] Attempting to migrate. ProcessID=6004, Arch=x64
[08d0] [MIGRATE] Attempting to migrate. PayloadLength=316928 StubLength=317
[08d0] [INJECT][supports_poolparty_injection] RtlGetVersion: 00007FFA9841F0A0
[08d0] [INJECT][supports_poolparty_injection] dwSourceArch: 2 dwDestinationArch: 2
[08d0] [INJECT][supports_poolparty_injection] os.dwMajorVersion: 10 os.dwMinorVersion: 0
[08d0] [MIGRATE] Got SeDebugPrivilege!
[08d0] [WINAPI][winapi_kernel32_CloseHandle] Calling CloseHandle @ 00007FFA96D901E0
[08d0] [WINAPI][GetOrInitWinApiSyscalls] lpWinApiSyscalls = 00000000005558F0
[08d0] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024AA7A0; dwCryptedHash = 00000000D33D4AED
[08d0] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024AA540; dwCryptedHash = 00000000F0D09D60
[08d0] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024AA2A0; dwCryptedHash = 00000000C5D0A4C2
[08d0] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024AA380; dwCryptedHash = 000000003DEFA5C2
[08d0] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024AA040; dwCryptedHash = 00000000BC3F4D89
[08d0] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024AA6E0; dwCryptedHash = 000000004FD39C92
[08d0] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024AA600; dwCryptedHash = 00000000DE63B5C3
[08d0] [WINAPI][GetOrInitWinApiSyscalls] Index: 0 pStub: 00007FFA9848F6E8, dwSyscallNr: 24
[08d0] [WINAPI][GetOrInitWinApiSyscalls] Index: 1 pStub: 00007FFA9848F8A8, dwSyscallNr: 38
[08d0] [WINAPI][GetOrInitWinApiSyscalls] Index: 2 pStub: 00007FFA9848FB28, dwSyscallNr: 58
[08d0] [WINAPI][GetOrInitWinApiSyscalls] Index: 3 pStub: 00007FFA9848FBC8, dwSyscallNr: 63
[08d0] [WINAPI][GetOrInitWinApiSyscalls] Index: 4 pStub: 00007FFA9848FDE8, dwSyscallNr: 80
[08d0] [WINAPI][GetOrInitWinApiSyscalls] Index: 5 pStub: 00007FFA9848F848, dwSyscallNr: 35
[08d0] [WINAPI][GetOrInitWinApiSyscalls] Index: 6 pStub: 00007FFA9848F7A8, dwSyscallNr: 30
[08d0] [WINAPI][winapi_kernel32_OpenProcess] Syscall ZwOpenProcess returned: 0
[08d0] [MIGRATE] creating the configuration block
[08d0] [CONFIG] preparing the configuration
[08d0] [CONFIG] Allocating 1036 bytes for transport, total of 1604 bytes
[08d0] [CONFIG] Comms handle set to 00000000000001A4
[08d0] [CONFIG] Total of 1614 bytes located at 0x00000000024B17B0
[08d0] [MIGRATE] Config of 1614 bytes stashed at 0x00000000024B17B0
[08d0] [WINAPI][winapi_kernel32_DuplicateHandle] Calling DuplicateHandle @ 00007FFA96D901F0
[08d0] [MIGRATE] Duplicated Event Handle: 0x314
[08d0] [WINAPI][winapi_kernel32_VirtualAllocEx] Syscall ZwAllocateVirtualMemory returned: 0
[08d0] [MIGRATE] Migrate stub: 0x0000020E091C0000 -> 317 bytes
[08d0] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0
[08d0] [MIGRATE] Migrate context: 0x0000020E091C013D -> 388 bytes
[08d0] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0
[08d0] [MIGRATE] Migrate payload: 0x0000020E091C02C1 -> 316928 bytes
[08d0] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0
[08d0] [MIGRATE] Configuration: 0x0000020E0920D8C1 -> 1614 bytes
[08d0] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0
[08d0] [INJECT][supports_poolparty_injection] RtlGetVersion: 00007FFA9841F0A0
[08d0] [INJECT][supports_poolparty_injection] dwSourceArch: 2 dwDestinationArch: 2
[08d0] [INJECT][supports_poolparty_injection] os.dwMajorVersion: 10 os.dwMinorVersion: 0
[08d0] [INJECT][inject_via_poolparty][ntdll_init] NtQueryInformationProcess: 00007FFA9848F700 NtQueryObject: 00007FFA9848F5E0
[08d0] [INJECT][inject_via_poolparty][ntdll_init] ZwSetIoCompletion: 00007FFA984929D0
[08d0] [INJECT][inject_via_poolparty] using: poolparty_stub_x64
[08d0] [WINAPI][winapi_kernel32_DuplicateHandle] Calling DuplicateHandle @ 00007FFA96D901F0
[08d0] [WINAPI][winapi_kernel32_VirtualAllocEx] Syscall ZwAllocateVirtualMemory returned: 0
[08d0] [INJECT][inject_via_poolparty] ctx [0000020E08990112] lpStartAddress: 0000020E091C0000 lpParameter 0000020E091C013D hTriggerEvent 00000000000001C8
[08d0] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0
[08d0] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0
[08d0] [INJECT][inject_via_poolparty] Attempting injection with variant POOLPARTY_TECHNIQUE_TP_DIRECT_INSERTION
[08d0] [INJECT][inject_via_poolparty][get_remote_handle] lpProcessInfo: 0000000002663C50
[08d0] [INJECT][inject_via_poolparty][get_remote_handle] NtQueryInformationProcess() : 00000000C0000004
[08d0] [INJECT][inject_via_poolparty][get_remote_handle] HeapReAlloc lpProcessInfo: 0000000002663C50
[08d0] [INJECT][inject_via_poolparty][get_remote_handle] NtQueryInformationProcess() : 0000000000000000
[08d0] [INJECT][inject_via_poolparty][get_remote_handle] lpProcessInfo: 0000000002663C50 dwInformationSizeIn: 9776
[08d0] [INJECT][inject_via_poolparty][get_remote_handle] lpObjectInfo: 0000000002666290
[08d0] [WINAPI][winapi_kernel32_DuplicateHandle] Calling DuplicateHandle @ 00007FFA96D901F0
[08d0] [WINAPI][winapi_kernel32_CloseHandle] Calling CloseHandle @ 00007FFA96D901E0
[08d0] [WINAPI][winapi_kernel32_DuplicateHandle] Calling DuplicateHandle @ 00007FFA96D901F0
[08d0] [WINAPI][winapi_kernel32_CloseHandle] Calling CloseHandle @ 00007FFA96D901E0
[08d0] [WINAPI][winapi_kernel32_DuplicateHandle] Calling DuplicateHandle @ 00007FFA96D901F0
[08d0] [WINAPI][winapi_kernel32_DuplicateHandle] Calling DuplicateHandle @ 00007FFA96D901F0
[08d0] [WINAPI][winapi_kernel32_DuplicateHandle] Calling DuplicateHandle @ 00007FFA96D901F0
[08d0] [WINAPI][winapi_kernel32_CloseHandle] Calling CloseHandle @ 00007FFA96D901E0
[08d0] [WINAPI][winapi_kernel32_DuplicateHandle] Calling DuplicateHandle @ 00007FFA96D901F0
[08d0] [WINAPI][winapi_kernel32_CloseHandle] Calling CloseHandle @ 00007FFA96D901E0
[08d0] [WINAPI][winapi_kernel32_DuplicateHandle] Calling DuplicateHandle @ 00007FFA96D901F0
[08d0] [INJECT][inject_via_poolparty][get_remote_handle] hHijackHandle: 0000000000000310
[08d0] [WINAPI][winapi_kernel32_VirtualAllocEx] Syscall ZwAllocateVirtualMemory returned: 0
[08d0] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0
[08d0] [INJECT][inject_via_poolparty][remote_tp_wait_insertion] ZwSetIoCompletion: 0
[08d0] [INJECT] inject_via_poolparty: injected!
[08d0] [INJECT] inject_via_poolparty: Sending a migrate response...

msutovsky-r7 commented Jan 16, 2026

Win 10 x64

[1bf4] [MIGRATE] Attempting to migrate. ProcessID=4072, Arch=x64
[1bf4] [MIGRATE] Attempting to migrate. PayloadLength=316928 StubLength=317
[1bf4] [INJECT][supports_poolparty_injection] RtlGetVersion: 00007FFCE83518B0
[1bf4] [INJECT][supports_poolparty_injection] dwSourceArch: 2 dwDestinationArch: 2
[1bf4] [INJECT][supports_poolparty_injection] os.dwMajorVersion: 10 os.dwMinorVersion: 0
[1bf4] [MIGRATE] Got SeDebugPrivilege!
[1bf4] [WINAPI][winapi_kernel32_CloseHandle] Calling CloseHandle @ 00007FFCE8224880
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] lpWinApiSyscalls = 0000000002492740
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024A8910; dwCryptedHash = 00000000D33D4AED
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024A8650; dwCryptedHash = 00000000F0D09D60
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024A87D0; dwCryptedHash = 00000000C5D0A4C2
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024A8670; dwCryptedHash = 000000003DEFA5C2
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024A8B10; dwCryptedHash = 00000000BC3F4D89
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024A8B30; dwCryptedHash = 000000004FD39C92
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024A8810; dwCryptedHash = 00000000DE63B5C3
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] Index: 0 pStub: 00007FFCE83AB088, dwSyscallNr: 24
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] Index: 1 pStub: 00007FFCE83AB248, dwSyscallNr: 38
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] Index: 2 pStub: 00007FFCE83AB4C8, dwSyscallNr: 58
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] Index: 3 pStub: 00007FFCE83AB568, dwSyscallNr: 63
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] Index: 4 pStub: 00007FFCE83AB788, dwSyscallNr: 80
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] Index: 5 pStub: 00007FFCE83AB1E8, dwSyscallNr: 35
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] Index: 6 pStub: 00007FFCE83AB148, dwSyscallNr: 30
[1bf4] [WINAPI][winapi_kernel32_OpenProcess] Syscall ZwOpenProcess returned: 0
[1bf4] [MIGRATE] creating the configuration block
[1bf4] [CONFIG] preparing the configuration
[1bf4] [CONFIG] Allocating 1036 bytes for transport, total of 1604 bytes
[1bf4] [CONFIG] Comms handle set to 000000000000018C
[1bf4] [CONFIG] Total of 1614 bytes located at 0x000000000249D360
[1bf4] [MIGRATE] Config of 1614 bytes stashed at 0x000000000249D360
[1bf4] [WINAPI][winapi_kernel32_DuplicateHandle] Calling DuplicateHandle @ 00007FFCE8224890
[1bf4] [MIGRATE] Duplicated Event Handle: 0x1314
[1bf4] [WINAPI][winapi_kernel32_VirtualAllocEx] Syscall ZwAllocateVirtualMemory returned: 0
[1bf4] [MIGRATE] Migrate stub: 0x00000000031C0000 -> 317 bytes
[1bf4] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0
[1bf4] [MIGRATE] Migrate context: 0x00000000031C013D -> 388 bytes
[1bf4] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0
[1bf4] [MIGRATE] Migrate payload: 0x00000000031C02C1 -> 316928 bytes
[1bf4] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0
[1bf4] [MIGRATE] Configuration: 0x000000000320D8C1 -> 1614 bytes
[1bf4] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0
[1bf4] [INJECT][supports_poolparty_injection] RtlGetVersion: 00007FFCE83518B0
[1bf4] [INJECT][supports_poolparty_injection] dwSourceArch: 2 dwDestinationArch: 2
[1bf4] [INJECT][supports_poolparty_injection] os.dwMajorVersion: 10 os.dwMinorVersion: 0
[1bf4] [INJECT][inject_via_poolparty][ntdll_init] NtQueryInformationProcess: 00007FFCE83AB0A0 NtQueryObject: 00007FFCE83AAF80
[1bf4] [INJECT][inject_via_poolparty][ntdll_init] ZwSetIoCompletion: 00007FFCE83AE190
[1bf4] [INJECT][inject_via_poolparty] using: poolparty_stub_x64
[1bf4] [WINAPI][winapi_kernel32_DuplicateHandle] Calling DuplicateHandle @ 00007FFCE8224890
[1bf4] [WINAPI][winapi_kernel32_VirtualAllocEx] Syscall ZwAllocateVirtualMemory returned: 0
[1bf4] [INJECT][inject_via_poolparty] ctx [0000000003210112] lpStartAddress: 00000000031C0000 lpParameter 00000000031C013D hTriggerEvent 0000000000001348
[1bf4] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0
[1bf4] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0
[1bf4] [INJECT][inject_via_poolparty] Attempting injection with variant POOLPARTY_TECHNIQUE_TP_DIRECT_INSERTION
[1bf4] [INJECT][inject_via_poolparty][get_remote_handle] lpProcessInfo: 00000000024AC690
[1bf4] [INJECT][inject_via_poolparty][get_remote_handle] NtQueryInformationProcess() : 00000000C0000004
[1bf4] [INJECT][inject_via_poolparty][get_remote_handle] HeapReAlloc lpProcessInfo: 00000000024B5A30
[1bf4] [INJECT][inject_via_poolparty][get_remote_handle] NtQueryInformationProcess() : 0000000000000000
[1bf4] [INJECT][inject_via_poolparty][get_remote_handle] lpProcessInfo: 00000000024B5A30 dwInformationSizeIn: 71136
[1bf4] [INJECT][inject_via_poolparty][get_remote_handle] lpObjectInfo: 00000000024C7020
[1bf4] [WINAPI][winapi_kernel32_DuplicateHandle] Calling DuplicateHandle @ 00007FFCE8224890
[1bf4] [WINAPI][winapi_kernel32_CloseHandle] Calling CloseHandle @ 00007FFCE8224880
[1bf4] [WINAPI][winapi_kernel32_DuplicateHandle] Calling DuplicateHandle @ 00007FFCE8224890
[1bf4] [WINAPI][winapi_kernel32_CloseHandle] Calling CloseHandle @ 00007FFCE8224880
[1bf4] [WINAPI][winapi_kernel32_DuplicateHandle] Calling DuplicateHandle @ 00007FFCE8224890
[1bf4] [WINAPI][winapi_kernel32_CloseHandle] Calling CloseHandle @ 00007FFCE8224880
[1bf4] [WINAPI][winapi_kernel32_DuplicateHandle] Calling DuplicateHandle @ 00007FFCE8224890
[1bf4] [INJECT][inject_via_poolparty][get_remote_handle] hHijackHandle: 0000000000000364
[1bf4] [WINAPI][winapi_kernel32_VirtualAllocEx] Syscall ZwAllocateVirtualMemory returned: 0
[1bf4] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0
[1bf4] [INJECT][inject_via_poolparty][remote_tp_wait_insertion] ZwSetIoCompletion: 0
[1bf4] [INJECT] inject_via_poolparty: injected!
[1bf4] [INJECT] inject_via_poolparty: Sending a migrate response...

@msutovsky-r7

Win 7 x64

[0aec] [MIGRATE] Attempting to migrate. ProcessID=2460, Arch=x64
[0aec] [MIGRATE] Attempting to migrate. PayloadLength=316928 StubLength=317
[0aec] [INJECT][supports_poolparty_injection] RtlGetVersion: 0000000077939380
[0aec] [INJECT][supports_poolparty_injection] dwSourceArch: 2 dwDestinationArch: 2
[0aec] [INJECT][supports_poolparty_injection] os.dwMajorVersion: 6 os.dwMinorVersion: 1
[0aec] [MIGRATE] Got SeDebugPrivilege!
[0aec] [WINAPI][winapi_kernel32_CloseHandle] Calling CloseHandle @ 0000000077812F80
[0aec] [WINAPI][GetOrInitWinApiSyscalls] lpWinApiSyscalls = 000000000034B2A0
[0aec] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024FA430; dwCryptedHash = 00000000D33D4AED
[0aec] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024FA450; dwCryptedHash = 00000000F0D09D60
[0aec] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024FA3F0; dwCryptedHash = 00000000C5D0A4C2
[0aec] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024FA410; dwCryptedHash = 000000003DEFA5C2
[0aec] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024FA470; dwCryptedHash = 00000000BC3F4D89
[0aec] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024FA490; dwCryptedHash = 000000004FD39C92
[0aec] [WINAPI][GetOrInitWinApiSyscalls] lpSyscall = 00000000024FA4B0; dwCryptedHash = 00000000DE63B5C3
[0aec] [WINAPI][GetOrInitWinApiSyscalls] Index: 0 pStub: 0000000077961498, dwSyscallNr: 21
[0aec] [WINAPI][GetOrInitWinApiSyscalls] Index: 1 pStub: 0000000077961578, dwSyscallNr: 35
[0aec] [WINAPI][GetOrInitWinApiSyscalls] Index: 2 pStub: 00000000779616B8, dwSyscallNr: 55
[0aec] [WINAPI][GetOrInitWinApiSyscalls] Index: 3 pStub: 0000000077961708, dwSyscallNr: 60
[0aec] [WINAPI][GetOrInitWinApiSyscalls] Index: 4 pStub: 0000000077961818, dwSyscallNr: 77
[0aec] [WINAPI][GetOrInitWinApiSyscalls] Index: 5 pStub: 0000000077961548, dwSyscallNr: 32
[0aec] [WINAPI][GetOrInitWinApiSyscalls] Index: 6 pStub: 00000000779614F8, dwSyscallNr: 27
[0aec] [WINAPI][winapi_kernel32_OpenProcess] Syscall ZwOpenProcess returned: 0
[0aec] [MIGRATE] creating the configuration block
[0aec] [CONFIG] preparing the configuration
[0aec] [CONFIG] Allocating 1036 bytes for transport, total of 1604 bytes
[0aec] [CONFIG] Comms handle set to 00000000000000A0
[0aec] [CONFIG] Total of 1614 bytes located at 0x000000000034D090
[0aec] [MIGRATE] Config of 1614 bytes stashed at 0x000000000034D090
[0aec] [WINAPI][winapi_kernel32_DuplicateHandle] Calling DuplicateHandle @ 0000000077805D10
[0aec] [MIGRATE] Duplicated Event Handle: 0x6e0
[0aec] [WINAPI][winapi_kernel32_VirtualAllocEx] Syscall ZwAllocateVirtualMemory returned: 0
[0aec] [MIGRATE] Migrate stub: 0x0000000004290000 -> 317 bytes
[0aec] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0
[0aec] [MIGRATE] Migrate context: 0x000000000429013D -> 388 bytes
[0aec] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0
[0aec] [MIGRATE] Migrate payload: 0x00000000042902C1 -> 316928 bytes
[0aec] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0
[0aec] [MIGRATE] Configuration: 0x00000000042DD8C1 -> 1614 bytes
[0aec] [WINAPI][winapi_kernel32_WriteProcessMemory] Syscall ZwWriteVirtualMemory returned: 0
[0aec] [INJECT] inject_via_remotethread: succeeded
[0aec] [INJECT] inject_via_remotethread: Sending a migrate response...
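
The following is an added example, not code from this PR or from Metasploit. It parses the GetOrInitWinApiSyscalls lines from the Win 10 x64 and Win 7 x64 test logs above and shows that every one of the seven resolved syscall numbers differs between the two versions, which is why the loader described in the PR description resolves the stub and its number at run time instead of hard-coding it. The embedded log lines are copied from this page; the check that stub addresses advance in step with the numbers is an added sanity check on the resolver's output, not something the PR states its loader does.

```python
import re

# Added example (not PR or Metasploit code). Matches one GetOrInitWinApiSyscalls
# resolution line; the "DebugString:" prefix used in the PR description is optional.
_STUB_RE = re.compile(
    r"\[(?P<pid>[0-9a-fA-F]+)\] \[WINAPI\]\[GetOrInitWinApiSyscalls\] "
    r"Index: (?P<index>\d+) pStub: (?P<stub>[0-9A-Fa-f]+), dwSyscallNr: (?P<nr>\d+)"
)

# Sample input: the seven resolution lines from the Win 10 x64 test log on this page.
WIN10_LOG = """\
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] Index: 0 pStub: 00007FFCE83AB088, dwSyscallNr: 24
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] Index: 1 pStub: 00007FFCE83AB248, dwSyscallNr: 38
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] Index: 2 pStub: 00007FFCE83AB4C8, dwSyscallNr: 58
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] Index: 3 pStub: 00007FFCE83AB568, dwSyscallNr: 63
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] Index: 4 pStub: 00007FFCE83AB788, dwSyscallNr: 80
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] Index: 5 pStub: 00007FFCE83AB1E8, dwSyscallNr: 35
[1bf4] [WINAPI][GetOrInitWinApiSyscalls] Index: 6 pStub: 00007FFCE83AB148, dwSyscallNr: 30
"""

# Sample input: the same seven lines from the Win 7 x64 test log on this page.
WIN7_LOG = """\
[0aec] [WINAPI][GetOrInitWinApiSyscalls] Index: 0 pStub: 0000000077961498, dwSyscallNr: 21
[0aec] [WINAPI][GetOrInitWinApiSyscalls] Index: 1 pStub: 0000000077961578, dwSyscallNr: 35
[0aec] [WINAPI][GetOrInitWinApiSyscalls] Index: 2 pStub: 00000000779616B8, dwSyscallNr: 55
[0aec] [WINAPI][GetOrInitWinApiSyscalls] Index: 3 pStub: 0000000077961708, dwSyscallNr: 60
[0aec] [WINAPI][GetOrInitWinApiSyscalls] Index: 4 pStub: 0000000077961818, dwSyscallNr: 77
[0aec] [WINAPI][GetOrInitWinApiSyscalls] Index: 5 pStub: 0000000077961548, dwSyscallNr: 32
[0aec] [WINAPI][GetOrInitWinApiSyscalls] Index: 6 pStub: 00000000779614F8, dwSyscallNr: 27
"""

def parse_syscall_table(log_text):
    """Return {index: (stub_address, syscall_number)} for one debug log."""
    table = {}
    for line in log_text.splitlines():
        m = _STUB_RE.search(line)
        if m:
            table[int(m.group("index"))] = (int(m.group("stub"), 16), int(m.group("nr")))
    return table

def stub_stride(table):
    """Sanity check on a resolved table: stub addresses must advance in step with
    the syscall numbers. Returns the byte distance per number, or None when the
    table is inconsistent or has fewer than two entries."""
    entries = sorted(table.values())          # sort by stub address
    if len(entries) < 2 or entries[1][1] == entries[0][1]:
        return None
    (addr0, nr0), (addr1, nr1) = entries[0], entries[1]
    stride, rem = divmod(addr1 - addr0, nr1 - nr0)
    if rem:
        return None
    for addr, nr in entries:
        if addr - addr0 != (nr - nr0) * stride:
            return None
    return stride

def differing_indices(tables):
    """Indices whose syscall number is not identical across all tables ({label: table})."""
    indices = set().union(*(t.keys() for t in tables.values()))
    return sorted(i for i in indices
                  if len({t[i][1] for t in tables.values() if i in t}) != 1)

if __name__ == "__main__":
    tables = {"Win 10 x64": parse_syscall_table(WIN10_LOG),
              "Win 7 x64": parse_syscall_table(WIN7_LOG)}
    for label, t in tables.items():
        print(label, {i: nr for i, (_, nr) in sorted(t.items())}, "stride:", stub_stride(t))
    print("indices whose number changed between versions:", differing_indices(tables))
```

On the page's logs the Win 11 x64 numbers are identical to Win 10 x64, so adding that log as a third table yields no extra differing indices; the stride check yields 32 bytes per number on Win 10 and 16 on Win 7, consistent with the stubs being laid out in syscall-number order.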

@dledda-r7 dledda-r7 force-pushed the feat/metsrv-direct-syscall branch from 3448ff8 to 341c722 Compare January 23, 2026 12:15
@cdelafuente-r7 cdelafuente-r7 self-assigned this Jan 27, 2026
Status: In Progress

3 participants